I got ransomed by Ouroboros or something like that


Okay, so I don't know what happened. I was sleeping, and when I woke up I saw a zip file open with the virus located in the attached zip file. I immediately shut down my PC and tried using a couple of my USBs to try to fix Windows without logging in.

PS: it didn't work.

I was able to get into Windows, and for some reason my firewall was disabled too. I tried going to the Kaspersky website to download the decryptors, but they didn't work.

(I have Premium) Malwarebytes didn't do a good job at stopping that ransomware, and some of my files are encrypted with the .BTC extension.

Links:

https://www.virustotal.com/gui/file/28a336f7782290cfbe6f91b1a93a99c25c1fe77e78c47311232a7e6ef25913b1

https://app.any.run/tasks/b017b922-f20f-4e41-b490-2af1fd1b0c9f

https://opentip.kaspersky.com/28A336F7782290CFBE6F91B1A93A99C25C1FE77E78C47311232A7E6EF25913B1/

https://www.hybrid-analysis.com/sample/28a336f7782290cfbe6f91b1a93a99c25c1fe77e78c47311232a7e6ef25913b1

https://analyze.intezer.com/analyses/1acd7d34-4c42-4d6f-86d4-3d946d73cec3/genetic-analysis

 

scan report.txt

Edited by AdvancedSetup
Removed dangerous zip file from post

  • Root Admin

Please let us get some logs @TomerGamerTV

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
  • A zip file named mbst-grab-results.zip will be saved to your desktop; please upload that file on your next reply.

Thank you

 


  • Root Admin

Something appears to be wrong with your networking which may have played a part. But, it also shows you've had 22,264 web alerts. Did you disable alert messages?

Let me get some Farbar logs and see if we can determine what's wrong with networking.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


  • Root Admin

We cleaned up your system last year. You're running Kaspersky Cloud which can conflict with our software. You're running a customized DNS hosts file which can possibly also help add issues to other security programs that are trying to manage that.

Windows Defender found issues also and tried to stop them.

At this point, I'm not sure how you want to proceed. Does it look like maybe only some of your data were encrypted? Or does it appear that most were encrypted?

My suggestion would be to back up your data to an external drive. Then do a CLEAN reinstall of Windows and pay more attention to Events and Alerts.

Let me know what you'd like to do or what other help I can assist you with.

Thanks

 

 


5 minutes ago, AdvancedSetup said:

We cleaned up your system last year. You're running Kaspersky Cloud which can conflict with our software. You're running a customized DNS hosts file which can possibly also help add issues to other security programs that are trying to manage that.

Windows Defender found issues also and tried to stop them.

At this point, I'm not sure how you want to proceed. Does it look like maybe only some of your data were encrypted? Or does it appear that most were encrypted?

My suggestion would be to back up your data to an external drive. Then do a CLEAN reinstall of Windows and pay more attention to Events and Alerts.

Let me know what you'd like to do or what other help I can assist you with.

Thanks

 

 

I uninstalled Kaspersky; I don't know why it's still showing there. Do you have any decryption software for my files? Because most of them were encrypted.


  • Root Admin

No software company is responsible for the data on your system. We provide software to help prevent attacks but if you don't keep things working well and don't back up your data there isn't much anyone can do to help you.

You have over 22K alerts. Did you act on any of them?

You have numerous errors in the system, did you fix any of them?

 

 


I can't act on 22k alerts; it's probably the programs I use that share internet, but I don't think it has to do with the malware because I've been using it a lot and nothing happened.

 

And what kind of errors are you talking about?

 

I think my files are encrypted by BTCamant or VoidCrypt.


  • Root Admin

Application errors:
==================
Error: (05/17/2022 10:25:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 34

Error: (05/17/2022 08:41:12 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: tor.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: mbae64.dll, version: 1.13.4.452, time stamp: 0x6271944c
Exception code: 0xc0000409
Fault offset: 0x00000000000838e3
Faulting process id: 0x1778
Faulting application start time: 0x01d86a154bb4bf17
Faulting application path: C:\Users\USER\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\mbae64.dll
Report Id: 8a3fff9b-48e7-4149-a579-1f5b000460c8
Faulting package full name:
Faulting package-relative application ID:

Error: (05/17/2022 08:39:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: tor.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: mbae64.dll, version: 1.13.4.452, time stamp: 0x6271944c
Exception code: 0xc0000409
Fault offset: 0x00000000000838e3
Faulting process id: 0x2b24
Faulting application start time: 0x01d86a151a61c0e2
Faulting application path: C:\Users\USER\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\mbae64.dll
Report Id: 1633b0a5-b41a-4b02-bb87-3f5285f6af08
Faulting package full name:
Faulting package-relative application ID:

Error: (05/17/2022 08:21:45 PM) (Source: Microsoft-Windows-PerfNet) (EventID: 2004) (User: DESKTOP-TMB2HQ1)
Description: Unable to open the Server service performance object. The first four bytes (DWORD) of the Data section contains the status code.

Error: (05/17/2022 08:17:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Excessive name conflicts (23) for 8.D.7.A.8.7.E.8.A.4.B.9.7.1.8.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (PTR); rate limiting in effect

Error: (05/17/2022 08:17:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   25 8.D.7.A.8.7.E.8.A.4.B.9.7.1.8.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. PTR DESKTOP-TMB2HQ1-2.local.

Error: (05/17/2022 08:17:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Received from 172.21.160.1:5353   23 8.D.7.A.8.7.E.8.A.4.B.9.7.1.8.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. PTR DESKTOP-TMB2HQ1.local.

Error: (05/17/2022 08:17:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Excessive name conflicts (22) for 1.160.21.172.in-addr.arpa. (PTR); rate limiting in effect


System errors:
=============
Error: (05/17/2022 10:22:31 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Energy Server Service queencreek service terminated with the following error:
{Delayed Write Failed}
Windows was unable to save all the data for the file %hs. The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Error: (05/17/2022 09:51:59 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Energy Server Service queencreek service terminated with the following error:
{Delayed Write Failed}
Windows was unable to save all the data for the file %hs. The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Error: (05/17/2022 09:21:26 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Energy Server Service queencreek service terminated with the following error:
{Delayed Write Failed}
Windows was unable to save all the data for the file %hs. The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Error: (05/17/2022 08:50:53 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Energy Server Service queencreek service terminated with the following error:
{Delayed Write Failed}
Windows was unable to save all the data for the file %hs. The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Error: (05/17/2022 08:32:50 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (120000 milliseconds) while waiting for the Intel(R) SUR QC Software Asset Manager service to connect.

Error: (05/17/2022 08:27:16 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (120000 milliseconds) while waiting for the Intel(R) SUR QC Software Asset Manager service to connect.

Error: (05/17/2022 08:19:40 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Energy Server Service queencreek service terminated with the following error:
{Delayed Write Failed}
Windows was unable to save all the data for the file %hs. The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Error: (05/17/2022 08:18:25 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Energy Server Service queencreek service terminated with the following error:
{Delayed Write Failed}
Windows was unable to save all the data for the file %hs. The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.


Windows Defender:
================
Date: 2022-05-17 17:19:24
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Ransom:Win32/Higuniel.A&threatid=2147725777&enterprise=0
Name: Ransom:Win32/Higuniel.A
Severity: חמור
Category: ‏‏תוכנת כופר
Path: file:_C:\Users\USER\AppData\Local\Temp\Rar$EXa27176.30185\RansomwareSupport@ZohoMail.com.exe; file:_C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.367.13.0, AS: 1.367.13.0, NIS: 1.367.13.0
Engine Version: AM: 1.1.19200.6, NIS: 1.1.19200.6

Date: 2022-05-17 17:19:06
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Ransom:Win32/Higuniel.A&threatid=2147725777&enterprise=0
Name: Ransom:Win32/Higuniel.A
Severity: חמור
Category: ‏‏תוכנת כופר
Path: file:_C:\Users\USER\AppData\Local\Temp\Rar$EXa27176.30185\RansomwareSupport@ZohoMail.com.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Program Files\WinRAR\WinRAR.exe
Security intelligence Version: AV: 1.367.13.0, AS: 1.367.13.0, NIS: 1.367.13.0
Engine Version: AM: 1.1.19200.6, NIS: 1.1.19200.6

Date: 2022-05-17 17:18:50
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Ransom:Win32/Higuniel.A&threatid=2147725777&enterprise=0
Name: Ransom:Win32/Higuniel.A
Severity: חמור
Category: ‏‏תוכנת כופר
Path: file:_C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\system.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.367.13.0, AS: 1.367.13.0, NIS: 1.367.13.0
Engine Version: AM: 1.1.19200.6, NIS: 1.1.19200.6

Date: 2022-05-17 17:05:11
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2022-05-17 16:07:07
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Ransom:Win32/Higuniel.A&threatid=2147725777&enterprise=0
Name: Ransom:Win32/Higuniel.A
Severity: חמור
Category: ‏‏תוכנת כופר
Path: file:_C:\Users\USER\AppData\Local\Temp\Rar$EXa7244.27210\RansomwareSupport@ZohoMail.com.exe; process:_pid:13632,ProcessStart:132972657168447487
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
Process Name: Unknown
Security intelligence Version: AV: 1.367.13.0, AS: 1.367.13.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.19200.6, NIS: 0.0.0.0
Event[0]:

Date: 2022-05-17 16:03:56
Description:
Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Neshta.A&threatid=2147575939&enterprise=0
Name: Virus:Win32/Neshta.A
Severity: חמור
Category: וירוס
Path: file:_\\tsclient\C\dastrasi.exe
Detection Origin: Network share
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Action: Clean
Action Status:  No additional actions required
Error Code: 0x80070001
Error description: Incorrect function.
Security intelligence Version: AV: 1.367.13.0, AS: 1.367.13.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.19200.6, NIS: 0.0.0.0

Date: 2022-05-17 16:03:56
Description:
Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Neshta.A&threatid=2147575939&enterprise=0
Name: Virus:Win32/Neshta.A
Severity: חמור
Category: וירוס
Path: file:_\\tsclient\C\unlocker-setup.exe
Detection Origin: Network share
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Action: Clean
Action Status:  No additional actions required
Error Code: 0x80070001
Error description: Incorrect function.
Security intelligence Version: AV: 1.367.13.0, AS: 1.367.13.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.19200.6, NIS: 0.0.0.0

Date: 2022-05-17 15:54:41
Description:
Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Neshta.A&threatid=2147575939&enterprise=0
Name: Virus:Win32/Neshta.A
Severity: חמור
Category: וירוס
Path: file:_\\tsclient\C\5-NS new - Copy.exe
Detection Origin: Network share
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Action: Clean
Action Status:  No additional actions required
Error Code: 0x80070001
Error description: Incorrect function.
Security intelligence Version: AV: 1.367.13.0, AS: 1.367.13.0, NIS: 0.0.0.0
Engine Version: AM: 1.1.19200.6, NIS: 0.0.0.0

Date: 2022-05-07 21:10:57
Description:
Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: Network Inspection System
Error Code: 0x80070006
Error description: The handle is invalid.
Reason: The filter driver has successfully restarted.

Date: 2022-05-07 21:10:54
Description:
Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: Network Inspection System
Error Code: 0x80070006
Error description: The handle is invalid.
Reason: The filter driver was unloaded unexpectedly.

CodeIntegrity:
===============
Date: 2022-05-17 20:20:20
Description:
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\SecurityHealthService.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3\x64\antimalware_provider.dll that did not meet the Windows signing level requirements.

Date: 2022-05-17 20:18:56
Description:
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3\x64\antimalware_provider.dll that did not meet the Windows signing level requirements.

 


  • Root Admin

Date: 2022-05-07 21:10:54
Description:
Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: Network Inspection System
Error Code: 0x80070006
Error description: The handle is invalid.
Reason: The filter driver was unloaded unexpectedly.

 

The system still shows at least part of Kaspersky installed and causing loading issues.

CodeIntegrity:
===============
Date: 2022-05-17 20:20:20
Description:
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\SecurityHealthService.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3\x64\antimalware_provider.dll that did not meet the Windows signing level requirements.

Date: 2022-05-17 20:18:56
Description:
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3\x64\antimalware_provider.dll that did not meet the Windows signing level requirements.

 

Networking is faulting, which causes other items to not function properly either including Firewall protection, Security software, etc.

 

Backing up your data to an external source has been recommended by all computer support people now for well over twenty years. Backups would prevent this from being such a catastrophe.

 

Playing with torrenting increases the risk as well, and all security experts recommend avoiding it if possible, except for legitimate uses.

 

 

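As an added example (not code from this thread, from FRST, or from Malwarebytes), here is a small Python triage script for the Windows Defender and CodeIntegrity sections of an FRST Addition.txt log in the layout posted above. It pulls out the signals the Root Admin is reacting to: Startup-folder persistence, executables run straight from an archive extraction temp folder, detections on the RDP-redirected \\tsclient share, failed remediation, and DLLs refused for not meeting the signing level. The embedded excerpt is constructed from the entries above with the hyperlink and severity lines dropped.

```python
"""Triage helper for the 'Windows Defender' and 'CodeIntegrity' sections of an FRST
Addition.txt log in the layout posted above.  Added example; not an FRST/Malwarebytes tool."""
import re
# Constructed excerpt in the thread's log layout (values from the posted entries).
SAMPLE_LOG = r"""Windows Defender:
================
Date: 2022-05-17 17:19:24
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
Name: Ransom:Win32/Higuniel.A
Path: file:_C:\Users\USER\AppData\Local\Temp\Rar$EXa27176.30185\RansomwareSupport@ZohoMail.com.exe; file:_C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe
Process Name: C:\Windows\explorer.exe

Date: 2022-05-17 16:03:56
Description:
Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
Name: Virus:Win32/Neshta.A
Path: file:_\\tsclient\C\dastrasi.exe
Error Code: 0x80070001

CodeIntegrity:
===============
Date: 2022-05-17 20:20:20
Description:
Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3\x64\antimalware_provider.dll that did not meet the Windows signing level requirements.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):\n=+\n", re.M)  # 'Name:' over a '====' rule
KEY_RE = re.compile(r"^([A-Z][A-Za-z ]*?):\s?(.*)$")      # 'Key: value'
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RAR_TEMP_RE = re.compile(r"\\Temp\\Rar\$", re.I)          # WinRAR extraction scratch dir
CI_RE = re.compile(r"process \((.+?)\) attempted to load (.+?) that did not meet")


def split_sections(text):
    """Map each underlined section header to its body text."""
    parts = SECTION_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts), 2)}


def parse_records(body):
    """Turn blank-line separated 'Key: value' blocks into dicts; the text under a
    bare 'Description:' line is joined onto that key."""
    records = []
    for block in re.split(r"\n\s*\n", body.strip()):
        rec, cont = {}, None
        for line in block.splitlines():
            if line.startswith(("For more information", "https://")):
                continue  # hyperlink boilerplate present in real logs
            m = KEY_RE.match(line)
            if m:
                key, value = m.groups()
                rec[key] = value
                cont = key if value == "" else None
            elif cont:
                rec[cont] = (rec[cont] + " " + line).strip()
        if rec:
            records.append(rec)
    return records


def triage_defender(records):
    """(threat, finding, path) triples for the signals that deserve a closer look."""
    findings = []
    for rec in records:
        name = rec.get("Name", "?")
        paths = [p.removeprefix("file:_") for p in re.split(r";\s*", rec.get("Path", ""))
                 if p.startswith("file:_")]
        for p in paths:
            if STARTUP_RE.search(p):
                findings.append((name, "startup-folder persistence", p))
            if RAR_TEMP_RE.search(p):
                findings.append((name, "run from archive extraction temp dir", p))
            if p.lower().startswith("\\\\tsclient\\"):
                findings.append((name, "reached over RDP drive redirection", p))
        if "critical error" in rec.get("Description", ""):  # Defender could not clean it
            findings.append((name, "remediation failed " + rec.get("Error Code", ""),
                             paths[0] if paths else ""))
    return findings


def unsigned_loads(records):
    """(process, dll) pairs from Code Integrity 'signing level' refusals."""
    hits = [CI_RE.search(r.get("Description", "")) for r in records]
    return [m.groups() for m in hits if m]


def triage_log(text):
    """Run every check over one log; returns a dict usable by a human or a test."""
    sections = split_sections(text)
    return {"defender": triage_defender(parse_records(sections.get("Windows Defender", ""))),
            "unsigned_loads": unsigned_loads(parse_records(sections.get("CodeIntegrity", "")))}
```

Calling triage_log() on the text of a real Addition.txt (or on SAMPLE_LOG) returns the findings as data, so the same checks can be re-run on each new log the thread asks for.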

  • Root Admin

Please check with Bleepingcomputer and see if there is any tool to decrypt. If there is no tool to decrypt then I would suggest you pull the hard drive out and set it aside in case in the future a key is released.

You could also try imaging it to an external drive.

Then gather all your information and save and store that, and do a CLEAN install of Windows and follow better, safer procedures, including backups.

 

Greg Carmack - MVP 2010-2020 - Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

Once you have installed Windows cleanly, then consider the following going forward.

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

 

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

 

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it.

Risks of File-Sharing Technology by the Cybersecurity & Infrastructure Security Agency
https://www.cisa.gov/uscert/ncas/tips/ST05-007

 

 

If possible, the best thing to do is to stay away from all torrenting software and file-sharing like that.

 


  • Root Admin

Sorry to be blunt but with all the P2P Torrent software installed and the listing of software installed, the computer looks to have thousands of dollars worth of potentially illegal software on the system.
It really only takes a single program to work as a Trojan and allow some type of exploit or intrusion into the system.

 

 

Go to Control Panel, Programs, Programs and Features and uninstall the following programs

 

  • µTorrent
  • Bonjour
  • ClearVPN
  • Chrome Remote Desktop Host
  • FrostWire
  • IObit Uninstaller
  • IObit Unlocker
  • IPv6 Forwarder for GameStream
  • Java 8 Update 331
  • Kaspersky Security Cloud
  • Kaspersky VPN
  • Mem Reduct
  • OneDash.VPN version 1.0
  • PicoTorrent
  • qBittorrent
  • RiseupVPN
  • WebTorrent
     

 

The logs show you have multiple different digital coin programs. I'm not saying they're bad but I'd be at least skeptical and make sure all are valid and secure.

Do you do programming? You have a plethora of development tools but no real signs of development work.


The logs show you have Macrium Reflect Workstation Edition installed. That is software designed to do full image backups. Did you ever use it and create an image of your data on an external drive? You have Synology Drive Client, which also would seem to indicate you have an external NAS device for backups?

You also have VeraCrypt installed. That too could potentially be a source of personally encrypted and saved data. Did you create and save any volumes?

Port Forwarding can be dangerous too.

 

 

Open an elevated admin command prompt and type in the following and press the Enter key. You should get an OK success message.

netsh advfirewall reset

 

Then run the following to reset the rest of the network. Then restart the computer.

NETSH winsock reset catalog
NETSH int ipv4 reset reset.log
NETSH int ipv6 reset reset.log
ipconfig /release
ipconfig /renew
ipconfig /flushdns
ipconfig /registerdns 

Make sure you restart the computer.

 

 

Please ensure that you have the user manual for your router. Then perform a factory reset on it if you own the router.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK TCP and UDP ports 135 through 139, 445, 1234, 3389 and 5555.
  • Document passwords created and store them in a safe but accessible location.

 

The logs don't indicate that AnyDesk or TeamViewer are installed.

 

 


6 minutes ago, AdvancedSetup said:

Sorry to be blunt but with all the P2P Torrent software installed and the listing of software installed, the computer looks to have thousands of dollars worth of potentially illegal software on the system.
It really only takes a single program to work as a Trojan and allow some type of exploit or intrusion into the system.

 

 

Go to Control Panel, Programs, Programs and Features and uninstall the following programs

 

  • µTorrent
  • Bonjour
  • ClearVPN
  • Chrome Remote Desktop Host
  • FrostWire
  • IObit Uninstaller
  • IObit Unlocker
  • IPv6 Forwarder for GameStream
  • Java 8 Update 331
  • Kaspersky Security Cloud
  • Kaspersky VPN
  • Mem Reduct
  • OneDash.VPN version 1.0
  • PicoTorrent
  • qBittorrent
  • RiseupVPN
  • WebTorrent
     

 

The logs show you have multiple different digital coin programs. I'm not saying they're bad but I'd be at least skeptical and make sure all are valid and secure.

Do you do programming? You have a plethora of development tools but no real signs of development work.


The logs show you have Macrium Reflect Workstation Edition installed. That is software designed to do full image backups. Did you ever use it and create an image of your data on an external drive? You have Synology Drive Client, which also would seem to indicate you have an external NAS device for backups?

You also have VeraCrypt installed. That too could potentially be a source of personally encrypted and saved data. Did you create and save any volumes?

Port Forwarding can be dangerous too.

 

 

Open an elevated admin command prompt and type in the following and press the Enter key. You should get an OK success message.

netsh advfirewall reset

 

Then run the following to reset the rest of the network. Then restart the computer.

NETSH winsock reset catalog
NETSH int ipv4 reset reset.log
NETSH int ipv6 reset reset.log
ipconfig /release
ipconfig /renew
ipconfig /flushdns
ipconfig /registerdns 

Make sure you restart the computer.

 

 

Please ensure that you have the user manual for your router. Then perform a factory reset on it if you own the router.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

 

Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK TCP and UDP ports 135 through 139, 445, 1234, 3389 and 5555.
  • Document passwords created and store them in a safe but accessible location.

 

The logs don't indicate that AnyDesk or TeamViewer are installed.

 

 

I swear I saw someone controlling my PC and saw TeamViewer and AnyDesk opened... I do some programming, and I used Macrium to copy my Windows to another disk. I used VeraCrypt to create an emergency USB, but there are no files on it currently.

 

I can't do everything you said because I can't access my Windows; it's stuck on a black screen.
